CN112787819B - Industrial control safety communication system and communication method - Google Patents

Abstract

The invention relates to an industrial control safety communication system and a communication method, comprising a cloud end and at least two control ends; the cloud comprises a certificate server, a cloud security module and an industrial control server; the control end comprises a 5G communication module, a control end safety module and an industrial control module; the industrial control server is connected with the 5G communication module, the control ends are in communication connection through a field bus, and the cloud end safety module and the control end safety module provide password service and a safety storage function; the cryptographic service function comprises random number generation, signature verification operation, encryption and decryption operation, session key generation and hash operation; the industrial control server calls the cloud security module to provide a password service function; the industrial control module calls the control end security module to provide a password service function and a security storage function; the certificate server generates a public key certificate for the cloud end, and writes the public key into the control end security module; the cloud security module stores the corresponding private key, so that the communication between the industrial control modules is safe, reliable, simple and efficient.

Description

Industrial control safety communication system and communication method

Technical Field

The invention belongs to the technical field of industrial control communication, and particularly relates to an industrial control safety communication system and a communication method for ensuring safety encryption communication among a plurality of industrial control modules on a field bus.

Background

A Field bus (Field bus) is a technology that is applied to a production Field and performs bidirectional, serial, and multinode digital communication between Field devices and between a Field device and a control apparatus. The digital communication method mainly solves the problems of digital communication among field devices such as controllers, intelligent instruments and meters, actuating mechanisms and the like in industrial fields and information transmission between the field control devices and a high-level control system. The industrial data communication network is used as the basis of an industrial data communication network, links the production process field level control equipment and the connection between the production process field level control equipment and a higher control management layer, and is not only a base layer network, but also an open type novel full-distributed control system. Because the field bus has a series of outstanding advantages such as simple, reliable, economical and practical, the field bus receives high attention from a plurality of standard groups and computer manufacturers, becomes one of the hotspots of the technical development of the current automation field, and is known as the computer local area network of the automation field. A plurality of industrial control modules can be connected to one field bus, and the industrial control modules can mutually transmit related control and data information conveniently and efficiently.

However, while the fieldbus brings convenience, rapidness and practicability to communication among a plurality of industrial control modules, a considerable potential safety hazard also exists. For example, the identity of the industrial control modules is counterfeited, information transmitted between the industrial control modules is intercepted, tampered, replayed and the like, and the security threats are likely to cause major accidents, serious economic losses or other adverse effects.

As a new generation of mobile communication technology, 5G is used not only for person-to-person communication but also for person-to-object and object-to-object communication, thereby realizing true mutual object interconnection. 5G technically plans three application scenarios: eMBB (enhanced mobile broadband), mMTC (mass machine type communication) and URLLC (ultra-high reliability and ultra-low delay communication) so as to meet the requirements of vertical application on large-bandwidth data transmission, mass network connection and ultra-low delay control.

How to carry out the safe encryption communication among the industrial control modules on the field bus by utilizing the 5G technology of ultra-high reliability and ultra-low time delay communication according to the characteristics and the problems of the mutual communication among the industrial control modules on the field bus is a problem which needs to be solved urgently at present.

Disclosure of Invention

The invention aims to overcome the defects of the prior art and provide an industrial control safety communication system and a communication method which enable mutual communication among a plurality of industrial control modules on a field bus to be safe, reliable, simple and efficient.

In order to achieve the purpose, the technical scheme adopted by the invention is as follows:

an industrial control safety communication system comprises a cloud end and at least two control ends connected with the cloud end through a 5G network; the cloud terminal also comprises a certificate server, a cloud terminal security module and an industrial control server which is respectively connected with the certificate server and the cloud terminal security module; the control end comprises a 5G communication module, a control end safety module and an industrial control module which is respectively connected with the 5G communication module and the control end safety module;

the industrial control server of the cloud is in communication connection with the 5G communication module of the control end through a 5G network so as to realize bidirectional communication between the cloud and the control end;

all control ends are in communication connection through a field bus so as to realize mutual communication;

the cloud security module and the control end security module are used for providing a password service function and a secure storage function; the cryptographic service function comprises random number generation, signature verification operation, encryption and decryption operation, session key generation and hash operation;

the industrial control server calls a corresponding password service function provided by the cloud security module; the industrial control module calls a corresponding password service function and a corresponding safe storage function provided by the control end safety module;

the certificate server generates and stores a corresponding public key certificate for the cloud end, and writes a public key in the public key certificate of the cloud end into a control end safety module of the control end in an off-line mode; the cloud security module stores a private key corresponding to a public key in a corresponding public key certificate.

The control ends are in communication connection through a field bus, specifically, industrial control modules of the control ends are in communication connection through the field bus, and the industrial control modules are in communication connection through the field bus respectively.

The control end security module and the cloud end security module are both security intelligent chips, the commercial cryptographic algorithm supported by the security intelligent chips comprises at least one of SM1, SM2 and SM3, and the supported international common cryptographic algorithm comprises at least one of 3DES, AES, RSA, SHA-1 and SHA-256; the secure intelligent chip supports storing a digital certificate; the safety intelligent chip provides a safety storage area and supports the safety storage of important information; the safety intelligent chip supports generation of random numbers; the certificate server maintains a certificate revocation list and provides a certificate revocation list query function.

A method for industrial control secure communication by using the industrial control secure communication system comprises a preparation phase, a group session key negotiation phase and a group secure encryption communication phase;

step 1), the preparation phase specifically comprises the following steps:

at least two control terminals are used as members of session key negotiation of the secure communication group and are unified by CE_iWherein i is 1,2, …, n; n is a natural number greater than 1; a control end group session key safety storage area is arranged in a control end safety module of the control end; the control end group session key secure storage area is uniformly used by KZ_iWherein i is 1,2, …, n; n is a natural number greater than 1; k is a group session key to be negotiated;

the industrial control server at the cloud end generates the following system parameters: g₁And G₂A cyclic addition group and a cyclic multiplication group with the order of q, and bilinear mapping DL: G₁×G₁→G₂，P∈G₁Random selection of

As the random number of the key agreement, the hash function H: {0,1}^*→ G1; the industrial control server discloses system parameters<P,DL,q,G₁,G₂,H,t>(ii) a Wherein

In order to be a finite field, the method comprises the following steps,

the unit cell of (a) is e; ID_iIs CE_iOf a unique identity, Q_i＝H(ID_i) Is CE_iThe public key of (2); ID_iAnd Q_iAre disclosed wherein i ═ 1,2, …, n; n is a natural number greater than 1;

each CE_iRandom selection

Calculating s_i＝b_iQ_i，s_iIs CE_iThe private key of (1); then, the CE_iRandom selection

Calculating D_i＝c_is_i(ii) a Then, D is processed in an off-line mode_iTransmitting to the industrial control server of the cloud end or by using the public key pair D in the public key certificate of the cloud end_iAfter being encrypted, the data are transmitted to the industrial control server at the cloud end through a 5G network; the industrial control server utilizes a private key corresponding to the public key of the cloud end to decrypt, so that D is obtained and stored_i(ii) a The industrial control server establishes an ID_iAnd D_iThe corresponding relationship of (a); each CE_iTaking random numbers

Each CE_iCalculate and save c_iMultiplicative inverse element of

Wherein

Wherein i is 1,2, …, n; n is a natural number greater than 1;

step 2), the group session key negotiation stage specifically includes the following steps:

step 21) of each CE_iEach generating E_i＝c_iQ_iAnd V_i＝s_iP, then the triplets are separated<ID_i,V_i,E_i>Is sent to each CE_jWherein i is 1,2, …, n; j is 1,2, …, n, j is not equal to i, n is a natural number greater than 1;

step 22), CE_jReceived CE_iSending triplet<ID_i,V_i,E_i>Thereafter, obtaining and ID from the industrial control server_iCorresponding D_iThen, DL (V) is calculated separately_i,E_i) And DL (Q)_iP,D_i) And comparing the values of the two to CE_iVerifying, if the values are different, the verification fails, and the CE_jTo each CE_iSending a verification failure identifier VERFAIL by the industrial control server, and terminating the group session key negotiation process; if the two values are the same, the verification is passed, and the next step is continued;

step 23), CE_iCalculating M_i＝c_iP, then sent to each CE separately_jWherein i is 1,2, …, n; j is 1,2, …, n, j is not equal to i, n is a natural number greater than 1;

step 24), CE_jReceived CE_iM coming from_iThen, calculate N_ji＝g_jM_iThen N is added_jiIs sent to CE_i；

Step 25), CE_iReceived CE_jN coming from_jiThen, calculate

CE_iCalculating r_i＝g_iP; then, CE_iComputing

Wherein i is 1,2, …, n; j is 1,2, …, n, j is not equal to i, n is a natural number greater than 1,

each CE_iWill K_iStored in KZ_i(ii) a Group session key K ═ K_i；

Step 3), the group security encryption communication stage specifically comprises the following steps:

after successful negotiation of the group session key K, each CE_iWherein i is 1,2, …, n; n is a natural number greater than 1, group secure encrypted communication can be performed using the group session key K.

The invention has the following positive effects:

according to the industrial control safety communication system and the communication method provided by the invention, a safe and efficient group session key negotiation protocol is provided through a public key cryptosystem based on identity, a group session key for safety communication is established among all industrial control modules, and the problem of mutual safety communication among all industrial control modules on a field bus is solved; in the group session key agreement process, system parameters required by the agreement are generated by a cloud through a 5G network with ultra-high reliability and ultra-low time delay communication, required related data are provided for all participants, and all the participants are assisted to solve the problem of identity authentication in the group session key agreement process.

In summary, according to the characteristics of mutual communication between 5G and a plurality of industrial control modules on a field bus, the industrial control secure communication system and the communication method provided by the present invention implement identity authentication and group secure encryption communication between the industrial control modules, effectively solve the problem of insufficient security in the prior art, and enable the identity authentication and group secure encryption communication between the industrial control modules on the field bus to be safe, reliable, simple and efficient.

Drawings

FIG. 1 is a block diagram of an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.

The embodiment of the invention provides an industrial control secure communication method which can be applied to the environment shown in figure 1 and comprises a cloud end and at least two control ends; the cloud comprises a certificate server, a cloud security module and an industrial control server which is respectively connected with the certificate server and the cloud security module; the control end comprises a 5G communication module, a control end safety module and an industrial control module which is respectively connected with the 5G communication module and the control end safety module; the industrial control server of the cloud end is in communication connection with the 5G communication module of the control end through a 5G network, so that bidirectional communication between the cloud end and the control end is realized;

the at least two control ends are in communication connection through a field bus so as to realize mutual communication; the cloud security module and the control end security module are used for providing a password service function and a secure storage function; the cryptographic service function comprises random number generation, signature verification operation, encryption and decryption operation, session key generation and hash operation; the industrial control server calls a corresponding password service function provided by the cloud security module; the industrial control module calls a corresponding password service function and a corresponding safe storage function provided by the control end safety module;

the certificate server generates and stores a corresponding public key certificate for the cloud end, and writes a public key in the public key certificate of the cloud end into a control end safety module of the control end in an off-line mode; and the cloud security module of the cloud stores a private key corresponding to the public key in the corresponding public key certificate.

The industrial control secure communication method comprises a preparation stage, a group session key negotiation stage and a group secure encryption communication stage;

the preparation stage specifically comprises the following steps:

step 1), the at least two control terminals are used as members of the session key negotiation of the secure communication group and are uniformly used by the CE_iWherein i is 1,2, …, n; n is a natural number greater than 1; a control end group session key safety storage area is arranged in a control end safety module of the control end; the control end group session key secure storage area is uniformly used by KZ_iWherein i is 1,2, …, n; n is a natural number greater than 1; k is a group session key to be negotiated;

the industrial control server at the cloud generates the following system parameters: g₁And G₂A cyclic addition group and a cyclic multiplication group with the order of q, and bilinear mapping DL: G₁×G₁→G₂，P∈G₁Random selection of

As the random number of the key agreement, the hash function H: {0,1}^*→ G1; the industrial control server discloses system parameters<P,DL,q,G₁,G₂,H,t>(ii) a Wherein

In order to be a finite field, the method comprises the following steps,

the unit cell of (a) is e; ID_iIs CE_iOf a unique identity, Q_i＝H(ID_i) Is CE_iThe public key of (2); ID_iAnd Q_iAre disclosed wherein i ═ 1,2, …, n; n is a natural number greater than 1;

the disclosure as described herein refers to each CE_iThe relevant information can be obtained, wherein i is 1,2, …, n; n is a natural number greater than 1;

each CE_iRandom selection

Calculating s_i＝b_iQ_i，s_iIs CE_iThe private key of (1); then, the CE_iRandom selection

Calculating D_i＝c_is_i(ii) a Then, D is processed in an off-line mode_iThe industrial control server transmitted to the cloud end or the public key pair D in the public key certificate of the cloud end is used_iThe encrypted data is transmitted to the industrial control server at the cloud end through a 5G network; the industrial control server decrypts the data by using a private key corresponding to the public key of the cloud end to obtain and store the data D_i(ii) a The industrial control server establishes an ID_iAnd D_iThe corresponding relationship of (a); each CE_iTaking random numbers

Each CE_iCalculate and save c_iMultiplicative inverse element of

Wherein

Wherein i is 1,2, …, n; n is a natural number greater than 1;

step 2), the group session key negotiation stage specifically includes the following steps:

step 21, each CE_iEach generating E_i＝c_iQ_iAnd V_i＝s_iP, then the triplets are separated<ID_i,V_i,E_i>Is sent to each CE_jWherein i is 1,2, …, n; j is 1,2, …, n, j is not equal to i, n is a natural number greater than 1;

step 22, CE_jReceived CE_iSending triplet<ID_i,V_i,E_i>Thereafter, obtaining and ID from the industrial control server_iCorresponding D_iThen, DL (V) is calculated separately_i,E_i) And DL (Q)_iP,D_i) And comparing the values of the two to CE_iVerification was performed, DL (V) under normal conditions_i,E_i)＝DL(s_iP,c_iQ_i)＝DL(b_iQ_iP,c_iQ_i)＝DL(Q_iP,Q_i)^bici；DL(Q_iP,D_i)＝DL(Q_iP,c_is_i)＝DL(Q_iP,c_ib_iQ_i)＝DL(Q_iP,Q_i)^bici；CE_jAfter calculating the two values, if the values are different, the verification fails, and the CE_jTo each CE_iSending a verification failure identifier VERFAIL by the industrial control server, and terminating the group session key negotiation process; if the two values are the same, the verification is passed, and the next step is continued;

step 23, CE_iCalculating M_i＝c_iP, then sent to each CE separately_jWherein i is 1,2, …, n; j is 1,2, …, n, j is not equal to i, n is a natural number greater than 1;

step 24, CE_jReceived CE_iM coming from_iThen, calculate N_ji＝g_jM_iThen N is added_jiIs sent to CE_i；

Step 25, CE_iReceived CE_jN coming from_jiThen, calculate

CE_iCalculating r_i＝g_iP; then, CE_iComputing

Wherein i is 1,2, …, n; j is 1,2, …, n, j is not equal to i, n is a natural number greater than 1,

each CE_iWill K_iStored in KZ_i(ii) a Group session key K ═ K_i；

Step 3), the group security encryption communication stage specifically comprises the following steps:

after successful negotiation of the group session key K, each CE_iWherein i is 1,2, …, n; n is a natural number greater than 1, group secure encrypted communication can be performed using the group session key K.

In this embodiment, the cloud invoking the password service function specifically means that the industrial control server of the cloud invokes a corresponding password service function provided by a cloud security module of the cloud;

the cloud end carries out bidirectional communication with the control end through a 5G network, specifically, the industrial control server of the cloud end carries out bidirectional communication with the industrial control module of the control end through the 5G communication module through the 5G network, and the control end calls the password service function and the safe storage function, specifically, the industrial control module of the control end calls the corresponding password service function and the safe storage function provided by the control end safety module of the control end;

the control ends are in communication connection through a field bus, in particular to the industrial control modules of the control ends are in communication connection through the field bus; the at least two control ends are communicated with each other, specifically, the industrial control modules of the control ends are communicated with each other through communication connection of field buses respectively;

the control terminal of the certificate server generates and stores a corresponding public key certificate; the control end security module of the control end stores a private key corresponding to a public key in a corresponding public key certificate;

the control end security module and the cloud end security module are both security intelligent chips, the commercial cryptographic algorithm supported by the security intelligent chips comprises at least one of SM1, SM2 and SM3, and the supported international common cryptographic algorithm comprises at least one of 3DES, AES, RSA, SHA-1 and SHA-256; the secure intelligent chip supports storing a digital certificate; the safety intelligent chip provides a safety storage area and supports the safety storage of important information; the safety intelligent chip supports generation of random numbers; the certificate server maintains a certificate revocation list and provides a certificate revocation list query function.

The invention negotiates a group session key for communication encryption by adopting a public key cryptosystem based on identity among all industrial control modules, and then uses the group session key to encrypt and protect communication contents when all parties communicate; and in the group session key negotiation process, the authentication and negotiation are mutually completed in the industrial control modules. In the authentication and negotiation process, bilinear pairings are used. Bilinear pairs are defined as follows:

let G₁For cyclic additive groups generated from p, the order is q, G₂Are cyclic multiplications of the same order q, a bilinear pair being a mapping DL that satisfies the following property G₁×G₁→G₂:

1) Bilinear: for all P, Q ∈ G₁，DL(aP,bQ)＝e(P,Q)^ab；

2) Non-degradability: presence P, Q ∈ G₁Let e (P, Q) not equal to 1;

3) calculability: for all P, Q ∈ G₁There is an efficient algorithm to compute DL (P, Q).

The identity in the identity-based public key cryptosystem refers to a string of meaningful numbers related to the user, such as an identification number, a mailbox address, and the like. In the encryption process, the encryptor uses the string of numbers representing the identity of the receiver as a public key to encrypt the content, the encryptor does not need to inquire the public key of the receiver to a trusted third party any more, great convenience is provided for management of public key information, and the receiver uses a private key corresponding to the identity to decrypt the content. In 1984, Shamir proposed the idea of an Identity-Based public key Cryptosystem (Identity-Based cryptography), and constructed an Identity-Based Signature system (IBS). That is, the public key in the signature system is the identity of the user, and when verifying the signature, the verifier verifies the signature using the identity of the signer as the public key.

The embodiments of the present invention have been described in detail with reference to the drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention, and these are within the scope of the present invention. Therefore, the protection scope of the present invention should be subject to the appended claims.

Claims (4)

1. An industrial control safety communication system comprises a cloud end and at least two control ends connected with the cloud end through a 5G network; the cloud terminal also comprises a certificate server, a cloud terminal security module and an industrial control server which is respectively connected with the certificate server and the cloud terminal security module; the control end comprises a 5G communication module, a control end safety module and an industrial control module which is respectively connected with the 5G communication module and the control end safety module; the method is characterized in that:

the industrial control server of the cloud is in communication connection with the 5G communication module of the control end through a 5G network so as to realize bidirectional communication between the cloud and the control end;

all control ends are in communication connection through a field bus so as to realize mutual communication;

the cloud security module and the control end security module are used for providing a password service function and a secure storage function; the cryptographic service function comprises random number generation, signature verification operation, encryption and decryption operation, session key generation and hash operation;

the industrial control server calls a corresponding password service function provided by the cloud security module; the industrial control module calls a corresponding password service function and a corresponding safe storage function provided by the control end safety module;

the certificate server generates and stores a corresponding public key certificate for the cloud end, and writes a public key in the public key certificate of the cloud end into a control end safety module of the control end in an off-line mode; the cloud security module stores a private key corresponding to a public key in a corresponding public key certificate;

the industrial control secure communication system comprises a preparation stage, a group session key negotiation stage and a group secure encryption communication stage;

the preparation stage specifically comprises the following steps:

at least two control terminals are used as session key agreement of secure communication groupMembers of the business, unifying CEs_iWherein i is 1,2, …, n; n is a natural number greater than 1; a control end group session key safety storage area is arranged in a control end safety module of the control end; the control end group session key secure storage area is uniformly used by KZ_iWherein i is 1,2, …, n; n is a natural number greater than 1; k is a group session key to be negotiated;

the industrial control server at the cloud end generates the following system parameters: g₁And G₂A cyclic addition group and a cyclic multiplication group with the order of q, and bilinear mapping DL: G₁×G₁→G₂，P∈G₁Random selection of

As the random number of the key agreement, the hash function H: {0,1}^*→ G1; the industrial control server discloses system parameters<P,DL,q,G₁,G₂,H,t>(ii) a Wherein

In order to be a finite field, the method comprises the following steps,

the unit cell of (a) is e; ID_iIs CE_iOf a unique identity, Q_i＝H(ID_i) Is CE_iThe public key of (2); ID_iAnd Q_iAre disclosed wherein i ═ 1,2, …, n; n is a natural number greater than 1;

each CE_iRandom selection

Calculating s_i＝b_iQ_i，s_iIs CE_iThe private key of (1); then, the CE_iRandom selection

Calculating D_i＝c_is_i(ii) a Then, in an off-line mannerWill D_iTransmitting to the industrial control server of the cloud end or by using the public key pair D in the public key certificate of the cloud end_iAfter being encrypted, the data are transmitted to the industrial control server at the cloud end through a 5G network; the industrial control server utilizes a private key corresponding to the public key of the cloud end to decrypt, so that D is obtained and stored_i(ii) a The industrial control server establishes an ID_iAnd D_iThe corresponding relationship of (a); each CE_iTaking random numbers

Each CE_iCalculate and save c_iMultiplicative inverse element of

Wherein

Wherein i is 1,2, …, n; n is a natural number greater than 1;

the group session key negotiation stage specifically includes the following steps:

each CE_iEach generating E_i＝c_iQ_iAnd V_i＝s_iP, then the triplets are separated<ID_i,V_i,E_i>Is sent to each CE_jWherein i is 1,2, …, n; j is 1,2, …, n, j is not equal to i, n is a natural number greater than 1;

CE_jreceived CE_iSending triplet<ID_i,V_i,E_i>Thereafter, obtaining and ID from the industrial control server_iCorresponding D_iThen, DL (V) is calculated separately_i,E_i) And DL (Q)_iP,D_i) And comparing the values of the two to CE_iVerifying, if the values are different, the verification fails, and the CE_jTo each CE_iSending a verification failure identifier VERFAIL by the industrial control server, and terminating the group session key negotiation process; if the two values are the same, the verification is passed, and the next step is continued;

CE_icalculating M_i＝c_iP, then sent to each CE separately_jWherein i is 1,2, …, n; j is 1,2, …, n, j is not equal to i, n is a natural number greater than 1;

CE_jreceived CE_iM coming from_iThen, calculate N_ji＝g_jM_iThen N is added_jiIs sent to CE_i；

CE_iReceived CE_jN coming from_jiThen, calculate

CE_iCalculating r_i＝g_iP; then, CE_iComputing

Wherein i is 1,2, …, n; j is 1,2, …, n, j is not equal to i, n is a natural number greater than 1,

each CE_iWill K_iStored in KZ_i(ii) a Group session key K ═ K_i；

The group security encryption communication stage specifically comprises the following steps:

after successful negotiation of the group session key K, each CE_iWherein i is 1,2, …, n; n is a natural number greater than 1, group secure encrypted communication can be performed using the group session key K.

2. An industrial control security communication system according to claim 1, wherein: the control ends are in communication connection through a field bus, specifically, industrial control modules of the control ends are in communication connection through the field bus, and the industrial control modules are in communication connection through the field bus respectively.

3. An industrial control security communication system according to claim 1, wherein: the control end security module and the cloud end security module are both security intelligent chips, the commercial cryptographic algorithm supported by the security intelligent chips comprises at least one of SM1, SM2 and SM3, and the supported international common cryptographic algorithm comprises at least one of 3DES, AES, RSA, SHA-1 and SHA-256; the secure intelligent chip supports storing a digital certificate; the safety intelligent chip provides a safety storage area and supports the safety storage of important information; the safety intelligent chip supports generation of random numbers; the certificate server maintains a certificate revocation list and provides a certificate revocation list query function.

4. A method for industrial control secure communication using the industrial control secure communication system according to any one of claims 1 to 3, wherein: the industrial control secure communication method comprises a preparation stage, a group session key negotiation stage and a group secure encryption communication stage;

step 1), the preparation phase specifically comprises the following steps:

at least two control terminals are used as members of session key negotiation of the secure communication group and are unified by CE_iWherein i is 1,2, …, n; n is a natural number greater than 1; a control end group session key safety storage area is arranged in a control end safety module of the control end; the control end group session key secure storage area is uniformly used by KZ_iWherein i is 1,2, …, n; n is a natural number greater than 1; k is a group session key to be negotiated;

the industrial control server at the cloud end generates the following system parameters: g₁And G₂A cyclic addition group and a cyclic multiplication group with the order of q, and bilinear mapping DL: G₁×G₁→G₂，P∈G₁Random selection of

As the random number of the key agreement, the hash function H: {0,1}^*→ G1; the industrial control server discloses system parameters<P,DL,q,G₁,G₂,H,t>(ii) a Wherein

In order to be a finite field, the method comprises the following steps,

the unit cell of (a) is e; ID_iIs CE_iOf a unique identity, Q_i＝H(ID_i) Is CE_iThe public key of (2); ID_iAnd Q_iAre disclosed wherein i ═ 1,2, …, n; n is a natural number greater than 1;

each CE_iRandom selection

Calculating s_i＝b_iQ_i，s_iIs CE_iThe private key of (1); then, the CE_iRandom selection

Calculating D_i＝c_is_i(ii) a Then, D is processed in an off-line mode_iTransmitting to the industrial control server of the cloud end or by using the public key pair D in the public key certificate of the cloud end_iAfter being encrypted, the data are transmitted to the industrial control server at the cloud end through a 5G network; the industrial control server utilizes a private key corresponding to the public key of the cloud end to decrypt, so that D is obtained and stored_i(ii) a The industrial control server establishes an ID_iAnd D_iThe corresponding relationship of (a); each CE_iTaking random numbers

Each CE_iCalculate and save c_iMultiplicative inverse element of

Wherein

Wherein i is 1,2, …, n; n is a natural number greater than 1;

step 2), the group session key negotiation stage specifically includes the following steps:

step 21) of each CE_iEach generating E_i＝c_iQ_iAnd V_i＝s_iP, then the triplets are separated<ID_i,V_i,E_i>Is sent to each CE_jWherein i is 1,2, …, n; j is 1,2, …, n, j is not equal to i, n is a natural number greater than 1;

step 22), CE_jReceived CE_iSending triplet<ID_i,V_i,E_i>Thereafter, obtaining and ID from the industrial control server_iCorresponding D_iThen, DL (V) is calculated separately_i,E_i) And DL (Q)_iP,D_i) And comparing the values of the two to CE_iVerifying, if the values are different, the verification fails, and the CE_jTo each CE_iSending a verification failure identifier VERFAIL by the industrial control server, and terminating the group session key negotiation process; if the two values are the same, the verification is passed, and the next step is continued;

step 23), CE_iCalculating M_i＝c_iP, then sent to each CE separately_jWherein i is 1,2, …, n; j is 1,2, …, n, j is not equal to i, n is a natural number greater than 1;

step 24), CE_jReceived CE_iM coming from_iThen, calculate N_ji＝g_jM_iThen N is added_jiIs sent to CE_i；

Step 25), CE_iReceived CE_jN coming from_jiThen, calculate

CE_iCalculating r_i＝g_iP; then, CE_iComputing

Wherein i is 1,2, …, n; j is 1,2, …, n, j is not equal to i, n is a natural number greater than 1,

each CE_iWill K_iStored in KZ_i(ii) a Group session key K ═ K_i；

Step 3), the group security encryption communication stage specifically comprises the following steps:

after successful negotiation of the group session key K, each CE_iWherein i is 1,2, …, n; n is a natural number greater than 1, group secure encrypted communication can be performed using the group session key K.

Images